TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Internal Revenue Service Deployed the Modernized e-File System With Known Security Vulnerabilities

December 30, 2008

Reference Number: 2009-20-026

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Redaction Legend:
2(f) = Law Enforcement - Risk circumvention of Agency regulation or statute

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

December 30, 2008

MEMORANDUM FOR COMMISSIONER, WAGE AND INVESTMENT DIVISION
               CHIEF TECHNOLOGY OFFICER

FROM:    (for) Michael R. Phillips
         Deputy Inspector General for Audit

SUBJECT: Final Audit Report – The Internal Revenue Service Deployed the Modernized e-File System With Known Security Vulnerabilities (Audit # 200720024)

This report presents the results of our review to determine whether appropriate security controls have been implemented in the Modernized e-File (MeF) system.
This review was part of the Information Systems Programs business unit’s statutory requirements to annually review the adequacy and security of Internal Revenue Service (IRS) information technology.

Impact on the Taxpayer

The MeF system will provide a single method for filing all IRS tax returns, information returns, forms, and schedules via the Internet. The Modernized Tax Return Database (M-TRDB), a component of the MeF system, is the authoritative store of accepted returns and extensions submitted through the MeF system. Security weaknesses in the controls over system access, monitoring of system access, and disaster recovery have continued to exist even though key phases of the MeF system and the M-TRDB have been deployed. As a result, the IRS is jeopardizing the confidentiality, integrity, and availability of an increasing volume of tax information for millions of taxpayers as application phases are put into operation.

Synopsis

The IRS has established appropriate system development policies and procedures that require security and privacy safeguards to be planned for and designed in the early phases of a system’s development life. Despite these requirements, our review of available test documents provided by the IRS showed that both the MeF system and the M-TRDB were deployed with known security vulnerabilities relating to system access, monitoring of system activities, disaster recovery, and protection of sensitive data.
These vulnerabilities are in areas considered to be minimum security controls, and they increase the risks that 1) an unscrupulous person could gain unauthorized access to the vast amount of taxpayer information the IRS processes with little chance of detection and 2) the system could not be recovered effectively and efficiently during an emergency.

We believe that these security vulnerabilities are significant because they affect the IRS’ ability to 1) restrict access to only those individuals with a business need, 2) monitor activities for questionable transactions, 3) protect data from unauthorized disclosure, and 4) ensure continued operation of the systems. Many of these same vulnerabilities have been designated as a bureau-wide material weakness by the IRS. The significance of these security vulnerabilities is heightened because the MeF system is a critical modernized system that will affect the future success of the IRS computing environment.

The MeF project office did not prevent and resolve known security vulnerabilities before deployment of the system. The Submission Processing Executive Steering Committee, [1] which has final milestone [2] exit approval authority, 1) did not provide sufficient oversight to ensure that security controls were implemented and 2) signed off unconditionally on MeF system milestones despite the existence of weaknesses repeatedly reported to the Committee. Finally, the Cybersecurity organization recommended, and the MeF system owner approved, that the system be fully accredited [3] without giving adequate consideration of what we view as significant security vulnerabilities on the system.
In our opinion, the system owner’s acceptance of the excessive risks associated with these security vulnerabilities was not reasonable.

We identified some of these same vulnerabilities in prior audit reports on modernization projects, including a September 2008 report on the Customer Account Data Engine and the Account Management Services. [4] IRS management agreed with most of our prior report findings and responded that they would ensure that security control requirements were planned for early in the Enterprise Life Cycle [5] process and that they were committed to addressing deficiencies in audit logging on modernized systems. Until security control vulnerabilities are corrected, the IRS is jeopardizing the confidentiality, integrity, and availability of an increasing volume of tax information for millions of taxpayers as MeF system phases are put into operation.

[1] The charter for the Submission Processing Executive Steering Committee shows that its primary objective is to ensure that project objectives are met, risks are appropriately managed, and expenditures of enterprise resources are fiscally sound.
[2] Milestones provide for “go/no-go” decision points in a project and are sometimes associated with funding approval to proceed.
[3] Accreditation is the official management decision given by the owner of an information system to authorize the operation of the system and to explicitly accept the risks.
[4] The Audit Trail System for Detecting Improper Activities on Modernized Systems Is Not Functioning (Reference Number 2004-20-135, dated August 2004), Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernization Systems (Reference Number 2005-20-128, dated August 2005), Improvements Are Needed to Ensure the Use of Modernization Applications Is Effectively Audited (Reference Number 2006-20-177, dated September 29, 2006), and The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities (Reference Number 2008-20-163, dated September 24, 2008).

Recommendations

We recommended that the Submission Processing Executive Steering Committee consider all security vulnerabilities that affect the overall security of the MeF system and the M-TRDB before approving milestone exits. The Commissioner, Wage and Investment Division, and the Chief Information Officer should provide more emphasis to the MeF project office to both prevent and resolve security vulnerabilities identified during Enterprise Life Cycle processes. The Director, Electronic Tax Administration and Refundable Credits, Wage and Investment Division, as the MeF system owner, should approve interim authorities to operate when significant security control weaknesses exist in system environments. These interim authorities to operate should contain specific terms and conditions in accordance with IRS policy that must be met, including corrective actions to be taken by the information system owners and a required time period for completion of the corrective actions, before authorities to operate are granted.

Response

IRS management agreed with our recommendations. They will continue to follow the governance process documented in the Submission Processing Executive Steering Committee charter, which includes the review of all security vulnerabilities, before milestone exits.
They will continue to follow the existing Enterprise Life Cycle processes for identifying, confirming, and resolving security vulnerabilities at the requirements, design, development, and testing life cycle stages, with an increased emphasis in both preventing and resolving security vulnerabilities identified during the Enterprise Life Cycle processes. They will also strengthen the process for capturing and documenting Executive Steering Committee meeting minutes.

IRS management will continue to operate in accordance with policies and procedures, which state that the Designated Approving Authority verifies that security assessments are conducted to determine that security controls are operating effectively, correctly implemented, and meeting security requirements of the system. If and when they find that significant control weaknesses exist in the system environments, they will issue an interim authority to operate with the appropriate timelines based on the level of risk. Management’s complete response to the draft report is included as Appendix IV.

[5] The Enterprise Life Cycle is a structured business systems development method that requires preparation of specific work products during different phases of the development process.

Office of Audit Comment

Although the IRS agreed with all of our recommendations, its related corrective actions are focused on continuing to follow existing processes or strengthening current processes. As stated in the report, we believe that the existing security vulnerabilities were not caused by process deficiencies.
Instead, IRS offices did not carry out their responsibilities for ensuring that security weaknesses were corrected before deployment.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-8510.

Table of Contents

Background
Results of Review
    Security Vulnerabilities Were Not Given Sufficient Attention During the Development and Accreditation of the Modernized e-File System
        Recommendations 1 and 2
        Recommendation 3
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management’s Response to the Draft Report

Abbreviations

IRS     Internal Revenue Service
MeF     Modernized e-File
M-TRDB  Modernized Tax Return Database
NIST    National Institute of Standards and Technology

Background

The Internal Revenue Service (IRS) is currently undergoing a modernization effort to update its tax processing systems. One of its three [1] most important modernized systems is the Modernized e-File (MeF) system. The MeF system will provide a single method for filing all IRS tax returns, information returns, forms, and schedules via the Internet. The Modernized Tax Return Database (M-TRDB), a component of the MeF system, is the authoritative store of accepted returns and extensions submitted through the MeF system. The key drivers for the MeF system are to allow the IRS to collect more tax documents electronically and reduce the costs associated with the inefficiencies of paper documents and manual processing, while enhancing customer service and increasing availability of taxpayer information. Internet-based filing directly supports the goal of revolutionizing how taxpayers transact and communicate with the IRS.

The Director, Electronic Tax Administration and Refundable Credits, Wage and Investment Division, is the functional owner of the MeF system. The MeF system is being incrementally developed over multiple releases. [2] The first release of the MeF system was originally deployed in January 2004 for the filing season. [3] The system is scheduled to cost $673 million to develop, operate, and maintain through Fiscal Year 2020, which is the project’s planned completion date. Release 4 of the MeF system, which was deployed in January 2007, allows for the processing of the U.S. Return of Partnership Income (Form 1065) and associated forms and schedules [4] for Tax Year 2006 submissions. Previous releases of the MeF added the Return of Organization Exempt From Income Tax (Form 990); the U.S. Corporation Income Tax Return (Form 1120); and the Application for Automatic 6-Month Extension of Time To File Certain Business Income Tax, Information, and Other Returns (Form 7004). Future releases will add the redesigned Form 990 and the U.S. Individual Income Tax Return (Form 1040).

The MeF system is 1 of more than 200 computer systems maintained by the IRS to administer the nation’s tax system. The IRS stores sensitive financial and personal information for more than 130 million individual taxpayers who file annual Federal income tax returns.
Each tax return contains personally identifiable information, [5] such as the filer’s name, address, Social Security Number, and other personal information. Because of the volume of data it maintains, the IRS is an attractive target for criminals with the intent to commit identity theft by stealing and using someone else’s identity for their own financial gain.

[1] The three projects at the heart of the IRS Business Systems Modernization program are the Modernized e-File, the Customer Account Data Engine, and the Account Management Services systems.
[2] A release is a specific edition of software.
[3] The period from January through mid-April when most individual income tax returns are filed.
[4] This adds electronic file submission support for partnerships so that they might submit partnership-related forms in the same way and through the same process as exempt organizations and corporations currently do through the MeF system.

Like all Federal Government agencies, the IRS should protect its computer systems by implementing appropriate security controls to ensure the confidentiality, integrity, and availability of sensitive data, as recommended in the National Institute of Standards and Technology (NIST) [6] Special Publication 800-53. [7] This Publication specifies the minimum baseline of security controls that all Federal information systems must address, based on the security categorization level for a system of high, moderate, or low.
These security controls include system access, audit logging, and contingency planning.

The IRS is specifically required by Federal law to keep taxpayer data confidential and prevent unauthorized disclosure or browsing of taxpayer records. Section 6103 [8] of the Internal Revenue Code prohibits the disclosure of tax returns and tax return information and requires that the storage of such information be secured and restricted to only persons whose duties and responsibilities require access. The Taxpayer Browsing Protection Act of 1997 [9] also provided criminal penalties and civil remedies to help ensure that tax returns and tax return information remain confidential. These requirements apply to all IRS computer systems that maintain sensitive data.

This review was performed at the offices of the Chief Information Officer in New Carrollton, Maryland, and the Enterprise Computing Center in Martinsburg, West Virginia, during the period September 2007 through August 2008. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

[5] Personally identifiable information is any information that can potentially be used to uniquely identify, contact, or locate a single person.
[6] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets.
[7] Recommended Security Controls for Federal Information Systems, Revision 1 published December 2006.
[8] 26 U.S.C. Section 6103.
[9] 26 U.S.C.A. Sections 7213, 7213A, 7431 (West 2006).

Results of Review

Security Vulnerabilities Were Not Given Sufficient Attention During the Development and Accreditation of the Modernized e-File System

The IRS has established appropriate system development policies and procedures that require security and privacy safeguards to be planned for and designed in the early phases of a system’s development life cycle, called the Enterprise Life Cycle. [10] To ensure that projects progress satisfactorily toward implementation of all security and privacy requirements, the IRS implemented various evaluations that developmental projects must undergo prior to exiting the different milestones [11] of the Enterprise Life Cycle. These evaluations include milestone reviews performed by the Office of Privacy, Information Protection, and Data Security (the Office of Privacy), the Information Technology Security Architecture and Engineering Office (the Security Engineering Office), and the Cybersecurity organization.
In addition, the IRS annually updates the security and privacy control requirements that all new and existing information systems must address to comply with current NIST guidance. For new systems, the goals of these requirements and evaluations are to ensure that 1) security has been considered and built into systems and 2) no system is deployed with significant security vulnerabilities.

Despite these requirements, our review of available test documents provided by the IRS showed that the MeF system was deployed with known security vulnerabilities. For the MeF system and its database component, the M-TRDB, the following 13 security control vulnerabilities were identified by the Office of Privacy, the Security Engineering Office, and the Cybersecurity organization during testing of its Release 4, which was deployed in January 2007.

   1. Unauthorized users had direct access to the MeF system management console, [12] which provided system administrative functionalities such as the ability to change security settings and web services configurations. Any IRS employee with access to the Intranet could login to the console. Unauthorized access to the MeF system management console increases the risk that the application might be compromised.
   2. Security configuration settings on the MeF system servers and database were not sufficiently restrictive.
      Weak configuration management leaves the database susceptible to known exploitable vulnerabilities as well as potentially allowing unauthorized modifications to its data.
   3. Information input restrictions for State Government electronic tax filings were not in place on the MeF system. Without strict information input restrictions, the MeF system might accept invalid data from State transmitters, which could affect the integrity of MeF system data.
   4. The processes for establishing and confirming user identification on the MeF system did not meet Federal Government standards for accrediting cryptographic modules. [13] Weak identification and authentication controls increase the risk that an unauthorized user might gain undetected access to the MeF system and compromise the confidentiality, accuracy, validity, and availability of application data.
   5. Database users had more access privileges than they needed to carry out their responsibilities. Unnecessary access privileges increase the risk that an unauthorized user might gain undetected access to the MeF system and compromise the confidentiality, accuracy, validity, and availability of application data.
   6. After the maximum number of consecutive unsuccessful login attempts, the MeF system did not enforce automatic account locks on user accounts for a minimum of 24 hours in accordance with IRS policies. The account lockout feature was set to [redacted: 2(f)]. An insufficient lockout mechanism allows a user multiple attempts to gain access to a system, thus increasing the risk that the application data might be compromised.
   7. Several database user accounts had multiple invalid password settings that were not in accordance with IRS policy. Weak authentication controls increase the opportunity for an unauthorized user to gain access to the application, thus increasing the risk that the application data might be compromised.
   8. System users with limited access needs were granted full access to database records. Also, database administrator privileges were provided to non-database administrative personnel. Weak identification controls increase the opportunity for an unauthorized user to gain access to the application, thus increasing the risk that the application data might be compromised.
   9. The MeF system and database have a number of audit log [14] weaknesses, including 1) all required auditable events are not being captured, 2) no official has been assigned to monitor and maintain system audit mechanisms, 3) no database audit reduction tools were used, and 4) certain users that should have limited access have full capabilities to access database records, including taxpayer information. Without proper audit controls, system compromise could go undetected, resulting in prolonged unauthorized access that could otherwise be restricted or prevented. Consequently, the confidentiality, integrity, and availability of the taxpayer records maintained by the MeF system could be affected.
  10. An audit log review process was not in place, and logs were not being reviewed by MeF system officials. Weak supervision and review of user activities increases the opportunity for a user to perform undesirable actions that could go undetected by organization officials.
  11. An alternate processing site agreement had not been established for the MeF system. To ensure the continued operation of the system in the event of a failure or disaster, written agreements should be in place to continue processing at an alternate site.
  12. Reports containing personally identifiable information were transmitted in clear text. Failure to protect the integrity of transmitted information could allow unauthorized access to the information and exposes the IRS to unnecessary risks.
  13. System and database administrators used insecure methods to transmit MeF system data within the IRS. Failure to comply with security configuration standards and requirements could permit an attacker to compromise the confidentiality, integrity, and availability of the system and its data.

[10] The Enterprise Life Cycle is a structured business systems development method that requires preparation of specific work products during different phases of the development process.
[11] Milestones provide for “go/no-go” decision points in a project and are sometimes associated with funding approval to proceed.
[12] The IBM WebSphere® Console is used to process web services requests and remote applications belonging to transmitters or State Governments.
[13] The Federal Information Processing Standard 140-2 is a Federal Government computer security standard used to accredit cryptographic modules (i.e., practice or study of hiding information).
[14] An audit log is a chronological record of activities that allows for the reconstruction, review, and examination of a transaction from inception to final results. Audit logs can be used to detect unauthorized accesses to computer networks.

Missing security controls in the MeF system relate mainly to system access, audit logging, disaster recovery, and the protection of sensitive data. These security vulnerabilities increase the risks that an unscrupulous person could gain unauthorized access to the vast amount of taxpayer information the IRS processes with little chance of detection and that the system could not be recovered effectively and efficiently during an emergency.
Until security control vulnerabilities are corrected, the IRS is jeopardizing the confidentiality, integrity, and availability of an increasing volume of tax information for millions of taxpayers as application phases are put into operation.

We believe that these security vulnerabilities are significant because they affect the IRS’ ability to 1) restrict access to only those individuals with a business need, 2) monitor activities for questionable transactions, 3) protect data from unauthorized disclosure, and 4) ensure continued operation of the systems. Many of these same vulnerabilities have been designated as a bureau-wide material weakness [15] by the IRS. We also believe that the significance of these security vulnerabilities is heightened because the MeF system is a critical modernized system that will affect the future success of the IRS computing environment. If these issues are not addressed on modernized systems, these weaknesses will continue to exist.

Management Action: Subsequent to our audit fieldwork, the IRS provided us with the current status of the 13 vulnerabilities cited in our report.
We plan to perform a followup review to\nevaluate the effectiveness of the IRS\xe2\x80\x99 corrective actions.\n     \xe2\x80\xa2   Seven security vulnerabilities (numbers 1, 2, 4, 5, 7, 8, and 11) have been resolved.\n     \xe2\x80\xa2   Two security vulnerabilities (numbers 3 and 12) were found to be invalid and closed.\n     \xe2\x80\xa2   Two security vulnerabilities (numbers 6 and 13) are unresolved, with one of the\n         vulnerabilities (number 13) to be resolved when MeF Release 5.5 deploys in\n         January 2009.\n     \xe2\x80\xa2   One security vulnerability (number 9) is partially resolved, with the remaining actions to\n         be completed in Fiscal Year 2009.\n     \xe2\x80\xa2   One security vulnerability (number 10) is being addressed by the Wage and Investment\n         Division Office of Electronic Tax Administration and Refundable Credits and the\n         Cybersecurity organization to develop a process to enable the review of exception audit\n         reports. Additional time is required to complete this process, and the target completion\n         date is December 31, 2008.\nWe identified two areas of concern as to why the MeF system was deployed with significant\nsecurity vulnerabilities.\n     \xe2\x80\xa2   The MeF project office did not prevent and resolve known security vulnerabilities before\n         deployment of the system, and the Submission Processing Executive Steering\n         Committee 16 approved milestone exits without giving adequate consideration to what we\n         view as significant security vulnerabilities on the system.\n\n\n\n15\n   The Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982 (31 U.S.C. 
Sections 1105, 1113, 3512 (2000)) requires that each Federal Government agency conduct annual evaluations of its systems of internal accounting and administrative control and submit an annual statement on the status of the agency’s system of management controls. As part of the evaluations, agency managers identify control areas that can be considered material weaknesses. The Department of the Treasury has defined a material weakness as “shortcomings in operations or systems which, among other things, severely impair or threaten the organization’s ability to accomplish its mission or to prepare timely, accurate financial statements or reports.”
16 The charter for the Submission Processing Executive Steering Committee shows that its primary objective is to ensure that project objectives are met, risks are appropriately managed, and expenditures of enterprise resources are fiscally sound.

    • The Cybersecurity organization recommended, and the MeF system owner approved, that the system be fully accredited 17 without giving adequate consideration to what we view as significant security vulnerabilities on the system.

Prevention and resolution of security vulnerabilities were not given adequate consideration prior to deployment of the MeF system

NIST Special Publication 800-53 specifies the recommended security controls for all Federal Government information systems.
The IRS mandated that any business unit developing an information system must ensure that the system project office for the development effort has adequate security engineering expertise to properly address the planning and implementation of the minimum security controls required for protection of the data residing on its systems. Because of the criticality of the MeF system development, the IRS established a specific project office for the system. The project office should ensure that security controls have been implemented and security vulnerabilities have been mitigated or resolved during the Enterprise Life Cycle and prior to deployment.

Throughout the Enterprise Life Cycle, the Submission Processing Executive Steering Committee has the responsibility for final exit approval at each milestone. This Committee consists of 15 IRS executives from all business operating divisions and is co-chaired by an executive from the Wage and Investment Division and the Modernization and Information Technology Services organization. Governance by the Committee includes ensuring that projects adhere to accepted principles and practices of the Enterprise Life Cycle and resolving enterprise-wide issues for its projects, such as the MeF system.

The decisions to approve milestone exits are based on the recommendation from the Enterprise Life Cycle Program Management Office, which conducts milestone readiness reviews. When significant security or privacy concerns exist, a conditional milestone exit might be recommended and generally requires that the condition be corrected prior to the next milestone exit.
Otherwise, the Submission Processing Executive Steering Committee will approve an unconditional exit approval and the system development proceeds to the next milestone effort.

As an example, in April 2006, the Director, Security Engineering Office, issued a memorandum to the Director, Tax Administration Modernization, and the Director, Infrastructure Shared Services, recommending that MeF system Release 4, milestone 4a exit be postponed for 30 days. The postponement was due to two security risks traced in two prior releases (Release 3.2, milestone 4b and Release 4, milestone 2/3) and to the absence of a documented strategy with dates of implementation, which created a “high” risk scenario for the system. Once the documented strategy was provided, the milestone exit was approved even though the security weaknesses remained.

17 Accreditation is the official management decision given by the owner of an information system to authorize the operation of the system and to explicitly accept the risks.

Despite these requirements, we found that six 18 of the security vulnerabilities mentioned previously were identified repeatedly during MeF system milestone reviews and were not corrected. Rather, they were carried over from milestone to milestone, and some were even carried over from release to release. The Submission Processing Executive Steering Committee, which has final milestone exit approval, signed off unconditionally on MeF system milestones despite the existence of weaknesses repeatedly reported by the Security Engineering Office and the Cybersecurity organization.
The existence of these security vulnerabilities since earlier releases indicates that security controls might not have been sufficiently considered during the development phase of the system.

We believe that the Submission Processing Executive Steering Committee was in the best position to ensure that all significant security vulnerabilities were resolved or mitigated prior to deployment. Unfortunately, for the security vulnerabilities discussed previously, the Committee 1) did not provide sufficient oversight to ensure that security controls were implemented and 2) decided to deploy the release despite the presence of repeatedly reported significant security vulnerabilities, as opposed to placing conditional restrictions on the release or delaying the system’s release altogether.

Of the security vulnerabilities discussed previously, we are most concerned about the lack of audit logs, access controls, and disaster recovery capabilities in modernized systems. While it might be understandable that older legacy systems cannot log transactions or comply with other current security and privacy requirements, such as disaster recovery capabilities, due to older computer equipment, the IRS should ensure that these requirements are included in modernized systems. According to the NIST, 19 any effort to install logging capabilities or other security controls after deployment of a system will likely cost significantly more than if the security capabilities had been successfully designed into the system during the system development phase.

We believe that the lack of attention to security controls during developmental phases can be traced to other business requirements, filing season pressures, and deployment demands.
These concerns have taken precedence over security concerns, and executive-level management was not adequately engaged to ensure that security needs and requirements were being implemented. Consequently, the MeF system reached rollout dates without security controls, and accreditation officials were put in the position of implementing a critical system with significant security flaws rather than delaying system deployment.

18 Security control vulnerabilities numbers 1, 4, 9, 10, 11, and 13 listed on pages 3 through 5.
19 Security Considerations in the Information Development Life Cycle, NIST Special Publication 800-64 Revision 1, published June 2004.

The IRS continues to struggle with addressing security vulnerabilities on modernized systems. We identified some of these same vulnerabilities in prior audit reports on modernization projects. Specifically, in Fiscal Year 2005, we reported that the IRS was not adequately considering security controls early enough in the development phase of a system, including the MeF system. 20 We identified several inadequate security controls that should have been addressed in the development phase, including security configurations, audit logs, and disaster recovery plans. In Fiscal Years 2004 and 2006, we reported that audit logs for IRS modernized systems, including the MeF system, were not functioning.
21 IRS management agreed with most of our findings and responded that they would ensure that security control requirements were planned for early in the Enterprise Life Cycle process and that they were committed to addressing deficiencies in audit logging on modernized systems.

In September 2008, we issued a report 22 regarding the deployment of the Customer Account Data Engine and the Account Management Services systems with known security vulnerabilities. Similar to this report, the September 2008 report raised concerns over decisions made to approve milestone exits and to accredit the systems for deployment.

The MeF system was accredited despite the existence of several known security vulnerabilities

The last step of the developmental process and the most critical key decision point prior to deployment of a system is the accreditation by the system owner. In making the decision to accredit an information system, the system owner essentially accepts the risk of the system and approves the deployment and operation of the system. The system owner can give the system an authority to operate, give the system an interim authority to operate for a period of time until significant deficiencies are corrected, or prevent the system from being deployed. 23 The system owner bases his or her accreditation decisions on several certification documents.

During the certification process, the Cybersecurity organization develops a test plan based on the system security plan, performs the testing of application-specific security controls, and provides the results in a security assessment report.
The Cybersecurity organization also issues a certification memorandum that provides a summary of the certification results and

20 Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernization Systems (Reference Number 2005-20-128, dated August 2005).
21 The Audit Trail System for Detecting Improper Activities on Modernized Systems Is Not Functioning (Reference Number 2004-20-135, dated August 2004) and Improvements Are Needed to Ensure the Use of Modernization Applications Is Effectively Audited (Reference Number 2006-20-177, dated September 29, 2006).
22 The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities (Reference Number 2008-20-163, dated September 24, 2008).
23 The NIST issued a draft revision to its Guide for Security Authorization of Federal Information Systems (Special Publication 800-37) in August 2008. This draft document will require only two options for a system authorization decision. An agency can either provide an authorization to operate or a denial of authorization to operate.
The current “interim authority to operate” designation will be phased out and replaced with an authorization to operate with terms and conditions (i.e., limits and restrictions which must be followed by the system owner) and authorization termination time limits.

recommendation for the system owner to grant the authority to operate, grant an interim authority to operate, or deny the authority to operate.

Despite the presence of what we believe were significant unresolved security vulnerabilities on the MeF system, the system owner gave the authorities to operate for the system and its database component, the M-TRDB. In our opinion, the system owner should have given the MeF system an interim authority to operate in consideration of the excessive risk associated with these security vulnerabilities, particularly the inabilities to prevent modifying critical system security settings, to successfully recover the systems and their data in the event of a disaster, and to detect malicious security events and unauthorized accesses to taxpayer data. The current cyber-threat environment in the Federal Government dictates the need for any significant system to have these capabilities. As a result, we believe that the system owner’s acceptance of excessive risk was not reasonable.

We also disagree with the MeF system certification memoranda issued by the Cybersecurity organization, which recommended that the system owner grant an authority to operate.
While the certification memoranda mentioned the existence of security vulnerabilities on the systems, the memorandum for MeF Release 4 stated, “With your commitment to develop a plan to address and ultimately resolve all identified risks for the MeF application timely, I am recommending you grant an Authorization to Operate for the MeF application.” We believe that the system owner relied heavily on the Cybersecurity organization’s recommendation as well as the Submission Processing Executive Steering Committee’s exit approvals during the Enterprise Life Cycle.

As stated previously, the IRS has designated computer security as a material weakness, which the IRS has segregated into nine separate vulnerability areas: 1) network access controls; 2) key computer applications and system access controls; 3) software configuration; 4) functional business, operating, and program units security roles and responsibilities; 5) segregation of duties between system and security administrators; 6) contingency planning and disaster recovery; 7) monitoring of key networks and systems; 8) security training; and 9) certification and accreditation. By the IRS’ own designation and admission, these computer security areas are materially important, meaning that any security vulnerability within these areas is significant. While the IRS is working toward addressing these areas, we believe that the existence of the computer security material weakness needs to be considered when making decisions on system deployments.

We also believe that the IRS goal to certify and accredit all of its systems adversely affected the organization’s ability to objectively evaluate the security posture of its systems, specifically with the MeF system. NIST Special Publication 800-37 24 specifically states that systems with interim authorities to operate cannot be considered accredited.
As a result, the existence of systems with interim authorities to operate might affect the agency in the following ways.

24 Guide for the Security Certification and Accreditation of Federal Information Systems, published May 2004.

    • The E-Government section in the President’s Management Agenda initiative pertains to the certification and accreditation of systems. Using the color-coded rating to determine success levels, the President’s Management Agenda allows an agency to achieve the optimum “green” status only if the agency maintained 100 percent of its systems as certified and accredited.
    • The Federal Information Security Management Act 25 includes an evaluative section on the number of agency systems that have been certified and accredited. This percentage affects the agency’s overall grade.
    • The Office of Management and Budget requires completion of the Exhibit 300 26 to comply with the Clinger-Cohen Act of 1996.
      27 Any operational system that has not been certified and accredited might not have its proposed budget approved for funding by the Office of Management and Budget.

Recommendations

Recommendation 1: The Submission Processing Executive Steering Committee should consider all security vulnerabilities, including those associated with general support systems, that affect the overall security of the MeF system and the M-TRDB before approving milestone exits.

    Management’s Response: IRS management agreed with this recommendation. They will continue to follow the governance process documented in the Submission Processing Executive Steering Committee charter, which includes review of all security vulnerabilities, before milestone exits and will document milestone exit review discussions in the Submission Processing Executive Steering Committee meeting minutes.

Recommendation 2: The Commissioner, Wage and Investment Division, and the Chief Information Officer should provide more emphasis to both preventing and resolving security vulnerabilities identified during Enterprise Life Cycle processes to the MeF system project office.

    Management’s Response: IRS management agreed with this recommendation. They will continue to follow the existing Enterprise Life Cycle processes for identifying, confirming, and resolving security vulnerabilities at the requirements, design, developmental, and testing life cycle stages, with an increased emphasis in both

25 Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
26 Exhibit 300 is the primary tool for capital planning and investment control in the Federal Government.
27 (Federal Acquisition Reform Act of 1996) (Information Technology Management Reform Act of 1996), Pub. L. No. 104-106, 110 Stat. 642 (codified in scattered sections of 5 U.S.C., 5 U.S.C.
app., 10 U.S.C., 15 U.S.C., 16 U.S.C., 18 U.S.C., 22 U.S.C., 28 U.S.C., 29 U.S.C., 31 U.S.C., 38 U.S.C., 40 U.S.C., 41 U.S.C., 42 U.S.C., 44 U.S.C., 49 U.S.C., 50 U.S.C.).

    preventing and resolving security vulnerabilities identified during the Enterprise Life Cycle. They will also strengthen the process for capturing and documenting meeting minutes.

Recommendation 3: The Director, Electronic Tax Administration and Refundable Credits, Wage and Investment Division, as the MeF system owner, should approve interim authorities to operate when significant security control weaknesses exist in system environments. These interim authorities to operate should contain specific terms and conditions in accordance with IRS policy that must be met, including corrective actions to be taken by the information system owners and a required time period for completion of the corrective actions, before authorities to operate are granted. 28

    Management’s Response: IRS management agreed with this recommendation. They will continue to operate in accordance with policies and procedures, which state that the Designated Approving Authority verifies that security assessments are conducted to determine that security controls are operating effectively, correctly implemented, and meeting security requirements of the system.
    If and when they find that significant control weaknesses exist in the system environments, they will issue an interim authority to operate with the appropriate timelines based on the level of risk.

    Office of Audit Comment: Although the IRS agreed with all of our recommendations, its related corrective actions are focused on continuing to follow existing processes or strengthening current processes. As stated in the report, we believe that the existing security vulnerabilities were not caused by process deficiencies. Instead, IRS offices did not carry out their responsibilities for ensuring that security weaknesses were corrected before deployment.

28 As stated previously, the August 2008 draft NIST Special Publication 800-37 has replaced interim authority to operate with an authorization to operate with terms, conditions, and termination dates.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of the review was to determine whether appropriate security controls have been implemented in the MeF system. 1 To accomplish our objective, we:

I.   Determined whether appropriate security controls had been considered and included in the MeF system and the M-TRDB.
     A.
        Reviewed the security categorization criteria prescribed by the Standards for Security Categorization of Federal Information and Information Systems (Federal Information Processing Standards Publication 199, published February 2004) and Guide for Mapping Types of Information and Information Systems to Security Categories (NIST Special Publication 800-60 Volume 1, published June 2004) and determined whether the security categorizations the IRS assigned to the MeF system and the M-TRDB were documented and supported.
     B. Compared the minimum security controls in the Recommended Security Controls for Federal Information Systems (NIST Special Publication 800-53 Revision 1, published December 2006) to the security controls listed in the system security plans for the MeF system Release 4 and the M-TRDB and determined whether all minimum security controls were included.
     C. Determined whether security controls were integrated early in MeF system Release 4 and the M-TRDB development life cycles to be cost effective.
II.  Determined whether the security controls were fully tested by an independent test team as prescribed in the Guide for the Security Certification and Accreditation of Federal Information Systems (NIST Special Publication 800-37, published May 2004).
III. Determined whether the security assessment reports were prepared in accordance with NIST Special Publication 800-37.
IV.  Determined whether the MeF system and the M-TRDB are continually monitored to ensure that they are configured in accordance with the security policies.
V.
     Obtained supporting documentation for closed recommendations in two prior Treasury Inspector General for Tax Administration audit reports and determined whether corrective actions were completed and effective. The two reports were Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernization Systems (Reference Number 2005-20-128, dated August 2005) and Improvements Are Needed to Ensure the Use of Modernization Applications Is Effectively Audited (Reference Number 2006-20-177, dated September 29, 2006).

1 The MeF system will provide a single method for filing all IRS tax returns, information returns, forms, and schedules via the Internet. The M-TRDB, a component of the MeF system, is the authoritative store of accepted returns and extensions submitted through the MeF system.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services)
Preston B.
Benoit, Acting Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Kent Sagara, Audit Manager
Esther Wilson, Lead Auditor
Charles Ekunwe, Senior Auditor
Jacqueline Nguyen, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Chief Information Officer OS:CIO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
    Commissioner, Wage and Investment Division SE:W
    Chief Information Officer OS:CIO

Appendix IV

Management’s Response to the Draft Report